Analysis

max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-05-2024 11:49
Behavioral task: behavioral1
Sample: 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Resource: win10v2004-20240426-en
General

Target: 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Size: 1.7MB
MD5: a17bd6b4ee07b365e33aa38df7fedefa
SHA1: 9a2c7bffa09f139dc6e3bf8182c82b4aba8d7bf6
SHA256: 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc
SHA512: 7e4f0315371f75c72a78f306d4714f0e812d465fe3759526aa3c1e5a81c6de8e43c0468caa3e5814e115309a5e2da9576c8cdef7b10bc1517406454fbdbf049b
SSDEEP: 24576:+h6b17zWRBRpQuc5jqqPKouPsVsAVrTgpgbGhAVeNegaQ1A/kVabFHue7pv03DG3:+c7zW1pQuujjuPsVZrHGhUekZPSeCfNW
Malware Config

Extracted: amadey 4.20
http://5.42.96.141
http://5.42.96.7

install_dir: 908f070dff
install_file: explorku.exe
strings_key: b25a9385246248a95c600f9a061438e1
url_paths: /go34ko8/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amers.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 57d287bc18.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amers.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amers.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 57d287bc18.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 57d287bc18.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Executes dropped EXE 10 IoCs

pid | Process
2800 | explorku.exe
5072 | amers.exe
3988 | axplons.exe
776 | 57d287bc18.exe
1708 | explorku.exe
3696 | axplons.exe
2652 | explorku.exe
2224 | axplons.exe
1628 | explorku.exe
2260 | axplons.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine | amers.exe
Key opened | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine | axplons.exe
resource | yara_rule
behavioral2/memory/236-1-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-3-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-4-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-6-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-5-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-8-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-2-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-0-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/236-7-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/files/0x000100000002aa24-14.dat | themida
behavioral2/memory/2800-25-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-24-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-23-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-21-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-26-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/236-20-0x0000000000C30000-0x000000000116D000-memory.dmp | themida
behavioral2/memory/2800-30-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-29-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-27-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2800-28-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/files/0x000100000002aa29-69.dat | themida
behavioral2/memory/2800-83-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/776-86-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-82-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-87-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-89-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-91-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-90-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-88-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-85-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-84-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/776-94-0x0000000000E80000-0x00000000014F6000-memory.dmp | themida
behavioral2/memory/1708-96-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-98-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-102-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-103-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-101-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-100-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-99-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-97-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1708-106-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-128-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-129-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-135-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-133-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-132-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-134-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-131-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-130-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/2652-139-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
behavioral2/memory/1628-171-0x0000000000E90000-0x00000000013CD000-memory.dmp | themida
Adds Run key to start application 2 TTPs 1 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\57d287bc18.exe = "C:\\Users\\Admin\\1000006002\\57d287bc18.exe" | explorku.exe

Checks whether UAC is enabled 6 IoCs

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 57d287bc18.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid | Process
5072 | amers.exe
3988 | axplons.exe
3696 | axplons.exe
2224 | axplons.exe
2260 | axplons.exe

Drops file in Windows directory 2 IoCs

description | ioc | Process
File created | C:\Windows\Tasks\explorku.job | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
File created | C:\Windows\Tasks\axplons.job | amers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs

pid | Process
5072 | amers.exe
5072 | amers.exe
3988 | axplons.exe
3988 | axplons.exe
3696 | axplons.exe
3696 | axplons.exe
2224 | axplons.exe
2224 | axplons.exe
2260 | axplons.exe
2260 | axplons.exe

Suspicious use of WriteProcessMemory 15 IoCs

description | pid | Process | procid_target
PID 236 wrote to memory of 2800 | 236 | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe | 78
PID 236 wrote to memory of 2800 | 236 | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe | 78
PID 236 wrote to memory of 2800 | 236 | 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe | 78
PID 2800 wrote to memory of 4520 | 2800 | explorku.exe | 79
PID 2800 wrote to memory of 4520 | 2800 | explorku.exe | 79
PID 2800 wrote to memory of 4520 | 2800 | explorku.exe | 79
PID 2800 wrote to memory of 5072 | 2800 | explorku.exe | 80
PID 2800 wrote to memory of 5072 | 2800 | explorku.exe | 80
PID 2800 wrote to memory of 5072 | 2800 | explorku.exe | 80
PID 5072 wrote to memory of 3988 | 5072 | amers.exe | 81
PID 5072 wrote to memory of 3988 | 5072 | amers.exe | 81
PID 5072 wrote to memory of 3988 | 5072 | amers.exe | 81
PID 2800 wrote to memory of 776 | 2800 | explorku.exe | 82
PID 2800 wrote to memory of 776 | 2800 | explorku.exe | 82
PID 2800 wrote to memory of 776 | 2800 | explorku.exe | 82
Processes

Process tree (indentation shows parent/child nesting; the original numbered depth markers are replaced by indentation):

C:\Users\Admin\AppData\Local\Temp\22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:236

    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of WriteProcessMemory
      PID:2800

        C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
          PID:4520

        C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:5072

            C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: EnumeratesProcesses
              PID:3988

        C:\Users\Admin\1000006002\57d287bc18.exe
          Command line: "C:\Users\Admin\1000006002\57d287bc18.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          PID:776

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1708

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3696

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:2652

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2224

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1628

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.1MB
MD5: 29ae760d21e9a54c50daaf021b7e2ffc
SHA1: 1114b6e97e0da531fd763aaf46146908f8a067a9
SHA256: 8a77b3b86e0da5f55e682ea9871014ec07ee7813a88a26f74dd0747675959d55
SHA512: f5ac0e28451d9b81eb7b891d4e9555104d418b8f68cddf82fa210e6a642339a6e6f1c795257c219dd01d225420c37962813931a27d3049e4fea2430867f9ca50

Filesize: 1.8MB
MD5: 76b3df90091f71476b4f7dbbe57aabad
SHA1: b8d504ed9a2bc2b88a7561df8359977054c2432f
SHA256: 9b0acd138f37415b01b9c5bba267c2fbe893fff81d109f886a1cf4edb8443220
SHA512: dd6071855345d17df57cafb75dd54363fc5da4f84e0a71920db3eb10c4dcc1a484d8dcfe1541f127afefd3167dfa22e078dfbb4f07cb4989338eb0ac2c8ee5d8

Filesize: 1.7MB
MD5: a17bd6b4ee07b365e33aa38df7fedefa
SHA1: 9a2c7bffa09f139dc6e3bf8182c82b4aba8d7bf6
SHA256: 22f94cd50a4bdc1838b4c63a8e45a56baa91609f0aea18bbf2dac1458d5930fc
SHA512: 7e4f0315371f75c72a78f306d4714f0e812d465fe3759526aa3c1e5a81c6de8e43c0468caa3e5814e115309a5e2da9576c8cdef7b10bc1517406454fbdbf049b